You use the --security-gateway attribute to enable SGD Gateway usage for the SGD array. The attribute defines the SGD Clients that can access the SGD Gateway, based on their IP address or DNS name.
Changes to the --security-gateway attribute apply to all SGD servers in the array.
The syntax for the attribute is as follows:
--security-gateway filter-spec...
Replace filter-spec with a filter specification of the type:
client-ip-address|*:gateway protocol:gateway-address:gateway-port
where client-ip-address is the IP address of the SGD Client. An asterisk, *, represents all IP addresses. For connections through the SGD Gateway, this is the address that the SGD servers in the array use to connect to the SGD Gateway.
Note - If you are using an external load balancer with the SGD Gateway, type the address of the load balancer for the client-ip-address.
The gateway protocol is sgdg for connections through the SGD Gateway, or direct for SGD Clients that connect directly to an SGD array, without going through the SGD Gateway.
The gateway-address is the external address of the SGD Gateway, or an external load balancer, if used. This is the address that client devices use to contact the SGD Gateway.
The gateway-port is the port that client devices use to connect to the SGD Gateway, or an external load balancer, if used.
Separate multiple filter-spec entries with a “;” character.
The following example enables all SGD Clients to connect using TCP port 443 of the SGD Gateway gateway1.example.com.
$ tarantella config edit --security-gateway "*:sgdg:gateway1.example.com:443"
The following example enables all SGD Clients to connect using an external load balancer, lb.example.com.
$ tarantella config edit --security-gateway \
"*:sgdg:lb.example.com:443"
You can use multiple filter specifications, as shown in the following example.
Consider a basic deployment, as shown in Using Multiple Filter Specifications. The deployment uses a single SGD Gateway, gateway1.example.com, with an SGD array that contains two SGD servers, sgd1.example.com and sgd2.example.com. The address of the SGD Gateway on the internal network is 192.168.0.250.
The following filter specification might be used for this example:
"192.168.0.250:sgdg:gateway1.example.com:443; \
*:direct:sgd1.example.com:80"
With this configuration, the following applies:
Connections to the SGD servers in the array are allowed from the SGD Gateway IP address, 192.168.0.250. SGD Clients outside the organization connect using TCP port 443 of the SGD Gateway, gateway1.example.com.
All other SGD Clients, such as those on the local area network (LAN), connect directly to TCP port 80 on the SGD server sgd1.example.com. These connections do not use the SGD Gateway.
The order of the filters is important. If the order of the filters is reversed, all SGD Clients connect directly to the SGD server sgd1.example.com.
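The ordering rule can be checked before a new value is applied with tarantella config edit. The following Python code is an added example, not part of SGD or its documentation: it parses a --security-gateway value, resolves which filter a given source address would hit, and reports filters that can never match because an earlier one already covers them. It assumes first-match evaluation (inferred from the statement about reversed order) and exact-string or * matching on the client field; the function names are hypothetical and IPv6 addresses are not handled.

```python
from typing import NamedTuple, Optional

class Filter(NamedTuple):
    client: str    # client-ip-address, or "*" for all addresses
    protocol: str  # "sgdg" or "direct"
    address: str   # gateway-address
    port: int      # gateway-port

def parse_filter_specs(value: str) -> list:
    """Split a --security-gateway value on ';' and parse each filter-spec."""
    filters = []
    for raw in value.split(";"):
        spec = raw.strip()
        if not spec:
            continue
        parts = spec.split(":")
        if len(parts) != 4:
            raise ValueError(f"expected 4 colon-separated fields: {spec!r}")
        client, protocol, address, port = parts
        if protocol not in ("sgdg", "direct"):
            raise ValueError(f"unknown gateway protocol in {spec!r}")
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in {spec!r}")
        filters.append(Filter(client, protocol, address, int(port)))
    return filters

def resolve(filters, source_ip: str) -> Optional[Filter]:
    """Return the first filter matching source_ip (assumption: first match wins)."""
    for f in filters:
        if f.client == "*" or f.client == source_ip:
            return f
    return None

def shadowed(filters) -> list:
    """Return filters that are unreachable because an earlier filter covers them."""
    seen, wildcard, dead = set(), False, []
    for f in filters:
        if wildcard or f.client in seen:
            dead.append(f)
        wildcard = wildcard or f.client == "*"
        seen.add(f.client)
    return dead

# The filter specification from the example above, and the same filters reversed.
DOC_ORDER = "192.168.0.250:sgdg:gateway1.example.com:443; *:direct:sgd1.example.com:80"
REVERSED = "*:direct:sgd1.example.com:80; 192.168.0.250:sgdg:gateway1.example.com:443"
```

With REVERSED, shadowed() returns the 192.168.0.250 filter, which is the misconfiguration described above: every connection resolves to the direct entry.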